
Hack The Box: Dropzone

Difficulty: Medium
Machine Creator: eks & rjesh
Tools Used:

NMAP
TFTP
Metasploit
NC
Streams

Task: To find User.txt and Root.txt
Network Enumeration

Let’s start with an NMAP scan.

nmap -sV -sC 10.10.10.90


The TCP scan shows no open ports; however, the box is up and responding to ICMP requests, so let's try a UDP scan.

nmap -sU 10.10.10.90


Our UDP scan came back with one port for TFTP.

TFTP

tftp 10.10.10.90


We can test TFTP by attempting to get a file. From this example, we can see that the box is accepting TFTP requests, and the path we fetched shows that the server's default directory is the root of the C drive, C:\.


We can test whether the TFTP service has SYSTEM-level access by requesting a file that regular users cannot read. Here we do not get "access denied", so the service must be running as SYSTEM.


To figure out which version of Windows this box is running, we can attempt to access the user directories. As you can see in this example, "C:\Users" does not exist, but "C:\Documents and Settings" does. Having to reach that directory through its short name "/docume~1" also suggests this is an XP box. 8.3 short names come from the older FAT naming convention (at most 8 characters for the name and 3 for the extension), and Windows still generates them for long file names for compatibility.


We can also test whether this is a 64-bit operating system. Using the short names, we can see that "C:\Program Files" is present but "C:\Program Files (x86)" does not exist, so this has to be a 32-bit machine.
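The short-name trick used above relies on how Windows derives 8.3 names from long names. The following is an added example, not code from the original writeup: a simplified Python model of that derivation (uppercase, drop spaces and disallowed characters, keep the first six characters, append a ~N tail on collision). The sample directory listing is constructed, and the real NTFS algorithm switches to a hash-based tail after a few collisions, which this model omits.

```python
# Punctuation an 8.3 name may contain besides ASCII letters and digits; space and '.' are not allowed.
ALLOWED_PUNCT = set("!#$%&'()-@^_`{}~")

# Constructed listing of a C:\ root in creation order (creation order decides who gets ~1).
SAMPLE_DIR = ["Documents and Settings", "Program Files", "Program Files (x86)", "WINDOWS", "boot.ini"]


def _split(long_name):
    """Split into (base, ext) on the last dot; leading dots are not separators."""
    name = long_name.lstrip(".")
    if "." in name:
        base, ext = name.rsplit(".", 1)
        return base, ext
    return name, ""


def _clean(part):
    """Uppercase and drop every character an 8.3 name cannot contain."""
    return "".join(c for c in part.upper() if (c.isascii() and c.isalnum()) or c in ALLOWED_PUNCT)


def short_name(long_name, taken):
    """Return the 8.3 short name for long_name, avoiding names already in `taken`."""
    base, ext = _split(long_name)
    clean_base, clean_ext = _clean(base), _clean(ext)
    # A name that already satisfies 8.3 (nothing dropped, lengths within limits,
    # at most one dot) is its own short name, just uppercased.
    if (clean_base == base.upper() and clean_ext == ext.upper()
            and len(clean_base) <= 8 and len(clean_ext) <= 3
            and long_name.count(".") <= 1 and not long_name.startswith(".")):
        return clean_base + ("." + clean_ext if clean_ext else "")
    short_ext = "." + clean_ext[:3] if clean_ext else ""
    n = 1
    while True:
        tail = "~%d" % n
        # The prefix shrinks so that prefix + tail never exceeds 8 characters.
        candidate = clean_base[:8 - len(tail)] + tail + short_ext
        if candidate not in taken:
            return candidate
        n += 1


def assign_short_names(names):
    """Map each long name to its short name, processing in creation order."""
    taken, result = set(), {}
    for name in names:
        result[name] = short_name(name, taken)
        taken.add(result[name])
    return result


if __name__ == "__main__":
    for long, short in assign_short_names(SAMPLE_DIR).items():
        print("%-24s -> %s" % (long, short))
```

Running it shows why "Documents and Settings" is reachable as DOCUME~1 and why a 32-bit box has PROGRA~1 but no PROGRA~2.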

Metasploit

Now we need to generate our payload. WMI on this box auto-compiles MOF files dropped into its mof directory, and the psexec module in Metasploit (MSF) includes a helper that generates such a file.
First, we need to select the psexec module:

use exploit/windows/smb/psexec

Then we need to drop into an interactive Ruby shell:

irb

Now we can generate the MOF file. The two arguments are placeholders; in a later step we replace the second one with the NC command that connects back to our local IP on port 1337.

puts generate_mof("test1","test2")


We now have the contents of our MOF file. Copy all of this output and put it into a file.


As you can see from this example, I copied and pasted the output of this command into a file, which I named exploit.mof.


We need to edit our MOF file. In the section where Name = "ASEC" appears, replace test2 with the NC command that we need to run, then save the file.

Upload NC.exe

nc.exe is not present on Windows by default, so we need to upload it using TFTP.

First, we should copy nc.exe to our current directory.

cp /usr/share/windows-binaries/nc.exe .

Now we can upload nc.exe to the remote server.


We needed to switch the TFTP client to binary mode first (otherwise the executable is corrupted in transfer) and then run put with the full remote path inside the system32 directory.

NC Listener

nc -lvnp 1337

1337 is our local port to listen on.

Upload mof file

The directory we upload to is watched by WMI, which auto-compiles any MOF file placed there, so the file executes on its own.

put exploit.mof /windows/system32/wbem/mof/exploit.mof


Once we upload the MOF file, WMI compiles it, the NC command runs, and we get a remote shell on the box.
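From the defender's side, the two file writes above (an executable landing in system32, then a .mof landing in the WMI auto-compile directory) are exactly what endpoint telemetry should flag. The following is an added example, not part of the original writeup: a small Python rule set run over constructed Sysmon-style FileCreate (Event ID 11) lines. The log format, the process name tftpd.exe and the file names are all constructed for the example; they are not telemetry from the real box.

```python
import re
from pathlib import PureWindowsPath

# On Windows XP/2003, WMI auto-compiles any .mof dropped here (the directory the writeup uploads to).
MOF_AUTOCOMPILE_DIR = r"C:\WINDOWS\system32\wbem\mof"
SYSTEM32_DIR = r"C:\WINDOWS\system32"
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com"}

# Constructed Sysmon-style lines (key=value pairs); "tftpd.exe" is a placeholder image name.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\WINDOWS\system32\notepad.exe TargetFilename=C:\Documents and Settings\Administrator\Desktop\notes.txt",
    r"EventID=11 Image=C:\WINDOWS\system32\tftpd.exe TargetFilename=C:\WINDOWS\system32\nc.exe",
    r"EventID=11 Image=C:\WINDOWS\system32\tftpd.exe TargetFilename=C:\WINDOWS\system32\wbem\mof\exploit.mof",
    r"EventID=1 Image=C:\WINDOWS\system32\cmd.exe CommandLine=cmd.exe /c dir",
]

# key=value pairs whose values may contain spaces; a value ends where the next "key=" begins.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(_KV.findall(line))


def _under(path, directory):
    """True if `path` lies anywhere below `directory` (case-insensitive, as NTFS paths are)."""
    wanted = directory.lower()
    return any(str(parent).lower() == wanted for parent in PureWindowsPath(path).parents)


def classify(event):
    """Return the rule name an event triggers, or None."""
    if event.get("EventID") != "11" or "TargetFilename" not in event:
        return None
    target = event["TargetFilename"]
    if _under(target, MOF_AUTOCOMPILE_DIR):
        return "mof_autocompile_drop"          # anything written here will be compiled and run by WMI
    if _under(target, SYSTEM32_DIR) and PureWindowsPath(target).suffix.lower() in EXECUTABLE_SUFFIXES:
        return "system32_binary_write"         # new executable in a system directory
    return None


def analyze(lines):
    """Run every line through the rules and return (rule, writing process, file) tuples."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            alerts.append((rule, event.get("Image", "?"), event["TargetFilename"]))
    return alerts


if __name__ == "__main__":
    for rule, image, target in analyze(SAMPLE_EVENTS):
        print("%-22s %s wrote %s" % (rule, image, target))
```

In a real deployment the system32 rule needs an allowlist for legitimate installers and Windows Update, but a network file-transfer service writing into the WMI mof directory has no benign explanation and can stay as a high-severity alert.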

Root.txt


Now we can read root.txt. Oh, wait, we have a problem: it does not contain the flag.

There is another directory on the desktop for flags, so let's check that out.


It contains a file called "2 for the price of 1!.txt".
The text in this file gives us a couple of hints. "ADS" is in all caps and refers to Alternate Data Streams, and "2 for the price of 1" suggests the file carries two data streams.

Streams

We need to download a program called Streams from Sysinternals; it lets us view alternate data streams.

https://docs.microsoft.com/en-us/sysinternals/downloads/streams


Just like the nc.exe upload, we can upload streams.exe over TFTP in binary mode.

Now we can inspect the file with Streams. Sysinternals tools require you to accept the EULA on first run (hence -accepteula), and we can use a wildcard for the awkward file name.

streams -accepteula 2*


And as you can see, not only are there alternate streams, but they contain both the root and user flags.
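The hint works because every NTFS file has an unnamed default stream (reported as ":$DATA") and may carry any number of named streams (":name:$DATA") that normal directory listings and file sizes never show. The following is an added example, not part of the original writeup or the Sysinternals tool: a Python enumerator that asks NTFS for a file's streams directly through the Win32 FindFirstStreamW/FindNextStreamW API, so an investigator can check for hidden streams without uploading a third-party binary. The Win32 calls only work on Windows; the stream-name parsing is plain Python.

```python
import ctypes
import sys
from ctypes import wintypes

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0          # STREAM_INFO_LEVELS.FindStreamInfoStandard
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout documented for FindFirstStreamW: a 64-bit size, then the stream name."""
    _fields_ = [
        ("StreamSize", ctypes.c_longlong),
        ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36)),
    ]


def parse_stream_name(raw):
    """Turn ':secret:$DATA' into 'secret'; the unnamed default stream ':$DATA' becomes ''."""
    parts = raw.split(":")            # ':' + name + ':' + type -> ['', name, '$DATA']
    return parts[1] if len(parts) >= 3 else ""


def list_streams(path):
    """Return [(stream_name, size_in_bytes), ...] for a file on an NTFS volume (Windows only)."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are an NTFS feature; run this on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]
    k32.FindClose.restype = wintypes.BOOL

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((parse_stream_name(data.cStreamName), data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                 # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def has_hidden_streams(path):
    """True when the file carries any named stream beyond the default one."""
    return any(name for name, _ in list_streams(path))


if __name__ == "__main__":
    # Usage: python ads_list.py "C:\path\to\2 for the price of 1!.txt"
    for name, size in list_streams(sys.argv[1]):
        print("%-20s %d bytes" % (name or "(default)", size))
```

A file that Explorer reports as a few bytes but that returns three entries here is the "2 for the price of 1" situation from the box: one default stream and two named ones holding the flags.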